Say I have 2 different Azure subscriptions, and I create an Azure Key Vault in the 1st subscription and store a private key in its HSM-backed container, AND from the other Azure subscription I want to access that private key for signing an application.
Would that be possible?
In short, manage and store HSM backed key in one azure subscription and sign or validate an application with that private key from another azure subscription... is it possible?
Yes, it is possible when both subscriptions are present in a single tenant, so that you can assign the required permissions on the management plane and data plane to the users or managed identities. As Managed HSM uses Azure AD authentication, both subscriptions need to be in the same Azure AD tenant.
Reference:
Secure access to your managed HSMs Microsoft Documentation
Control Access to your managed HSM
I have an issue: how to auto-renew Service Principal secrets in Azure Key Vault?
In short - you can't.
Azure KeyVault only provides the option to auto rotate keys. This feature enables end-to-end zero-touch key rotation for Azure services data encryption with customer-managed key (CMK) stored in Azure Key Vault.
https://azure.microsoft.com/en-us/updates/automated-key-rotation-in-azure-key-vault-is-now-available/
What you are trying to achieve is different. Azure AD Service principals are managed by Azure AD. So, you need some sort of automation which generates a new secret there and updates it in keyvault.
A better way (if possible) would be managed identity. Managed Identities can be used like service principals but are fully managed, and the secrets are managed behind the scenes for you.
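The answer above says Key Vault cannot renew a service principal's secret for you and that you need your own automation for it. The following script is an added example of that automation, not code from the answer: it resets the app registration's client secret with the Azure CLI and writes the new value into Key Vault with a matching expiry attribute, so consumers keep reading the vault and never need to know the secret changed. The app id, vault name and secret name are placeholders, and `expiry_date` assumes GNU `date`.

```shell
#!/bin/sh
# Added example (not from the answer above): rotate an app registration's
# client secret and publish it to Key Vault. Assumes a logged-in az CLI with
# rights to reset the app's credentials and to write secrets to the vault.
set -eu

APP_ID="${APP_ID:-00000000-0000-0000-0000-000000000000}"   # placeholder application (client) id
VAULT_NAME="${VAULT_NAME:-kv-example}"                      # placeholder vault name
SECRET_NAME="${SECRET_NAME:-sp-client-secret}"              # placeholder secret name
SECRET_DAYS="${SECRET_DAYS:-90}"                            # lifetime of each new credential

# ISO-8601 UTC timestamp N days from now. Used both as the credential's end date
# and as the Key Vault secret's expiry, so vault monitoring can warn before the
# credential stops working. Assumes GNU date (-d).
expiry_date() { date -u -d "+$1 days" +%Y-%m-%dT%H:%M:%SZ; }

rotate() {
  end="$(expiry_date "$SECRET_DAYS")"
  # --append keeps the previous secret valid until its own end date, giving
  # running workloads time to pick up the new value from the vault; drop it for
  # an immediate cutover that invalidates every older secret.
  new_secret=$(az ad app credential reset --id "$APP_ID" --append \
    --end-date "$end" --query password -o tsv)
  # Every `secret set` creates a new immutable version; the latest version is
  # what callers that do not pin a version will receive.
  az keyvault secret set --vault-name "$VAULT_NAME" --name "$SECRET_NAME" \
    --value "$new_secret" --expires "$end" >/dev/null
  unset new_secret
  echo "rotated $APP_ID; new value stored as $SECRET_NAME (expires $end)"
}

if [ "${1:-}" = "--run" ]; then rotate; fi
```

Run it as `./rotate.sh --run` from a scheduled job (cron, Azure Automation, a pipeline) at an interval shorter than `SECRET_DAYS`; the identity running the job is the only thing that ever sees the plaintext, which is exactly what the managed-identity route in the answer avoids altogether.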
2 different tenants (Subscription A in tenant A and Subscription B in tenant B)
We have one subscription in Azure cloud and we have set up Azure Key Vault. We can create keys there and use one of the keys to encrypt the disks of a virtual machine running in our subscription.
Our customer has their own Azure cloud subscription and for security and compliance purposes their requirement is that they must hold control of the key being used to encrypt disks of virtual machine in our subscription. For this we both have Azure keyvault with Premium tier and I was wondering if there is any guide which points out how to use Azure KeyVault HSM from Customer's subscription to create keys in to our subscription.
https://learn.microsoft.com/en-us/azure/key-vault/managed-hsm/hsm-protected-keys-byok
The above guide points out some of the vendors and how to use BYOK tool to transfer keys from HSM into Azure Keyvault.
We are looking for a way to use the Azure Key Vault HSM from the customer's subscription to create keys into our Azure Key Vault, which we can then use to encrypt disks in our subscription.
Many thanks,
If you have the permissions to access the two subscriptions, you can create an Azure Management Group to manage access to the subscriptions in this Management Group.
For more details, you can see the document about "Management Groups".
Answering for my own question as I have received an official response from Microsoft.
It looks like this is currently not supported. Please find below the link for more details on this.
https://learn.microsoft.com/en-us/answers/questions/743730/how-to-share-a-key-from-one-azure-keyvault-under-a.html?childToView=751516#answer-751516
I am trying to grant permissions to my Web App/API type application in Azure directory to use Azure Key Vault.
When I go to Required Permissions > Add API Access > Select an API, I can't find Azure Key Vault there. I remember it was there before, but not now. Where can I find it?
Image:
https://ibb.co/dswdXq
Behavior shown in your image - Azure Key Vault missing from "Select an API" blade
I have seen the behavior your image shows for a new Azure subscription, only when there were no Key Vaults so far in the Azure subscription linked to that Azure Active Directory.
Once you create a new Key Vault (you don't even need to add any keys), "Azure Key Vault" shows up while adding permissions to your app registrations in Azure AD (same steps as your image). At least, that's how it worked in my case.
Special case worth mentioning
You can create multiple Azure AD's in your Azure subscription and register your applications in any of them. Azure Key Vault, however, works in a special way and is linked to only one Azure AD: the Azure AD that your Azure subscription trusts (an Azure subscription also trusts only one Azure AD). So you could also run into the behavior shown in your image if you're registering the application in a different Azure AD than the one your Azure subscription trusts.
Granting permissions to your Web App/API to use Key Vault
In most cases it's not even required to do the steps you're showing in your image, just for a web application to be able to access key vault since that is controlled by Azure Key Vault access policies. #junnas has already explained this part very well so you can refer to that.
You can go to your Key Vault -> Access Policies -> Add, and create a new policy for the app.
Select the app as the principal, and give it the access you want.
You don't need to touch the Authorized application option.
You should then be able to acquire tokens for Key Vault using the client id and secret (or certificate).
Key Vault does not require that you assign it to an app, unless you wanted to do delegated access.
In fact any app can acquire a token for any API that exists as a service principal in your tenant (and Key Vault does).
Of course the token itself won't contain any permissions, but Key Vault has their own access management (access policies).
Basically I have a setup where I have:
- Hub-Spoke subscription and vnet topology in Azure.
- AAD for internal users and developer access, and B2C for external users.
- AAD and Key Vault are in the HUB subscription/VNET.
- APIs which are deployed in Azure AKS clusters are in the spoke subscription.
- Also have API Management fronting the APIs, which is in the same subscription and VNET as the AKS/APIs, so in the Spoke subscription.
Given the setup above, I have these questions:
1. Do all the APIs, API Management, Key Vault and Azure AD need to be tied to the same subscription, or can I have Key Vault in my hub subscription and other services in different subscriptions?
2. Do we register each API as an app in the same AAD as KEYVAULT, or can we just register the API Management and use API Management to get the secrets?
3. Can we use managed service identity, even if the components are in different subscriptions but registered with the same Azure AD?
Authentication in Azure is done at a tenant level, so presuming you're not using the advanced services for Key Vault (ARM access, VM encryption etc.) you can have your Key Vault in one subscription and access that from MSI in a different subscription - as long as you grant that MSI user permissions to the key vault.
As long as you grant permissions to the resource, AAD has very little awareness of subscriptions (subscriptions are basically one big resource that you can grant privileges to)
Edited to clarify advanced access policies
There are three advanced access policies for key vault.
enabledForDeployment
enabledForDiskEncryption
enabledForTemplateDeployment
The enabledForTemplateDeployment policy only applies if you are reading a secret from an ARM template deployment, i.e. if you are passing a VM password directly from Key Vault.
For your situation, if this is a requirement, then you could simply have those being placed in a different key vault located in the same subscription.
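Both the first answer on this page (Managed HSM signing from another subscription) and the answer just above (Key Vault reached by an MSI in a different subscription) come down to the same two facts: the grant only works inside one Azure AD tenant, and the grant is made on the vault or HSM itself, not on the subscription. The script below is an added example of that grant with the Azure CLI; it is not code from either answer. It checks that both subscriptions report the same tenant id, looks up the managed identity's service principal, and then assigns the narrowest data-plane role on a single key, once for a vault in the RBAC permission model and once for a Managed HSM, which has its own local RBAC. All subscription ids, resource groups and names are placeholders.

```shell
#!/bin/sh
# Added example (not code from the answers above): grant a user-assigned managed
# identity in subscription B the right to use one key held in subscription A.
# Assumes the az CLI is logged in with rights on both subscriptions and that the
# placeholder ids and names below are replaced with real ones.
set -eu

VAULT_SUB="${VAULT_SUB:-00000000-0000-0000-0000-00000000000a}"  # subscription A, holds the vault/HSM
VAULT_RG="${VAULT_RG:-rg-hub}"
VAULT_NAME="${VAULT_NAME:-kv-hub-example}"                        # vault name or Managed HSM name
KEY_NAME="${KEY_NAME:-signing-key}"
MI_SUB="${MI_SUB:-00000000-0000-0000-0000-00000000000b}"        # subscription B, holds the identity
MI_RG="${MI_RG:-rg-spoke}"
MI_NAME="${MI_NAME:-id-spoke-api}"

# ARM scope of one key inside a vault; narrower than granting the whole vault.
key_scope() {  # $1 subscription, $2 resource group, $3 vault, $4 key
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.KeyVault/vaults/%s/keys/%s' \
    "$1" "$2" "$3" "$4"
}

# Authentication is tenant-wide: the grant is only possible if both
# subscriptions trust the same Azure AD tenant.
same_tenant() { [ "$1" = "$2" ]; }

require_same_tenant() {
  a=$(az account show --subscription "$VAULT_SUB" --query tenantId -o tsv)
  b=$(az account show --subscription "$MI_SUB" --query tenantId -o tsv)
  same_tenant "$a" "$b" || {
    echo "subscriptions trust different tenants; cross-tenant access is not possible" >&2
    return 1
  }
}

# Object id of the identity's service principal, which is what role assignments bind to.
principal_id() {
  az identity show --subscription "$MI_SUB" -g "$MI_RG" -n "$MI_NAME" --query principalId -o tsv
}

# Vault in the RBAC permission model: an ARM role assignment scoped to the key.
# "Key Vault Crypto User" covers sign/verify; no management-plane role is needed.
grant_vault_access() {
  require_same_tenant
  az role assignment create --assignee-object-id "$(principal_id)" \
    --assignee-principal-type ServicePrincipal --role "Key Vault Crypto User" \
    --scope "$(key_scope "$VAULT_SUB" "$VAULT_RG" "$VAULT_NAME" "$KEY_NAME")"
}

# Managed HSM keeps its own local RBAC; scopes are relative to the HSM ("/" or "/keys/<name>").
grant_hsm_access() {
  require_same_tenant
  az keyvault role assignment create --hsm-name "$VAULT_NAME" --role "Managed HSM Crypto User" \
    --assignee-object-id "$(principal_id)" --scope "/keys/$KEY_NAME"
}

case "${1:-}" in
  vault) grant_vault_access ;;
  hsm)   grant_hsm_access ;;
esac
```

Run `./grant.sh vault` or `./grant.sh hsm`. For a vault still on the older access-policy model, replace the `az role assignment create` call with `az keyvault set-policy --name "$VAULT_NAME" --object-id "$(principal_id)" --key-permissions sign verify`; the tenant check and the principal lookup stay the same. Note that the identity's own subscription never appears in the grant, which is the point the answer above makes about AAD having little awareness of subscriptions.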
Our application hasn't used Key Vault until now. We are thinking of using Azure Key Vault to enforce security for keys, secrets and certificates. I read the Microsoft documentation on this Link. It's not clear whether Azure Key Vault works with identity providers other than Azure AD, because we are not using Azure AD, but we are using Azure App Service and a storage account. We also want to implement key rotation with a 1 hour expiry.
My questions are
Should the web app be registered with Azure AD to use KeyVault ?
While creating an Azure Key Vault I didn't see any option about key rotation. Am I looking in the wrong place?
Any sample code would be helpful.
When you create a key vault in an Azure subscription, it is automatically associated with the subscription's Azure Active Directory tenant. All callers (users and applications) must be registered in this tenant to access this key vault. That means to access the keys and secrets stored inside the key vault, the requesting applications have to be added in Azure active directory and it also needs to have permissions to read keys and secrets in azure key vault.
Related tutorials below are for your reference :
Get started with Azure Key Vault
How to set up Key Vault with end-to-end key rotation and auditing - this walks through how to set up key rotation and auditing with Azure Key Vault.
Azure Key Vault Developer's Guide
Use Azure Key Vault from a Web Application
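Two answers on this page touch key rotation: the one that says Key Vault's own automation only rotates keys (not service principal secrets), and the one just above, which points at the rotation tutorial without showing what a policy looks like. The script below is an added example, not from either answer or from the linked tutorials: it builds the rotation-policy JSON that `az keyvault key rotation-policy update` accepts (rotate automatically a set time before each version expires, send a notification earlier, and stamp every new version with a fixed lifetime), creates a key, and applies the policy. Vault and key names are placeholders; the durations are ISO-8601 and are an assumed illustration, not the only valid values.

```shell
#!/bin/sh
# Added example (not from the answers above): define and apply a Key Vault key
# rotation policy. Assumes a logged-in az CLI with key management rights on the
# vault; names below are placeholders.
set -eu

VAULT_NAME="${VAULT_NAME:-kv-example}"
KEY_NAME="${KEY_NAME:-app-data-key}"

# Emit the policy document consumed by `az keyvault key rotation-policy update`.
# $1 lifetime of each new key version (attributes.expiryTime)
# $2 how long before expiry Key Vault creates the next version ("Rotate")
# $3 how long before expiry an Event Grid notification is raised ("Notify")
rotation_policy_json() {
  printf '{"lifetimeActions":[{"trigger":{"timeBeforeExpiry":"%s"},"action":{"type":"Rotate"}},{"trigger":{"timeBeforeExpiry":"%s"},"action":{"type":"Notify"}}],"attributes":{"expiryTime":"%s"}}' \
    "$2" "$3" "$1"
}

apply_policy() {
  policy_file=$(mktemp)
  # Illustrative durations: 90-day versions, rotated 30 days early, warning at 7 days.
  rotation_policy_json P90D P30D P7D > "$policy_file"
  # Create the first version; later versions come from the policy, not from scripts.
  az keyvault key create --vault-name "$VAULT_NAME" --name "$KEY_NAME" --kty RSA --size 2048 >/dev/null
  az keyvault key rotation-policy update --vault-name "$VAULT_NAME" --name "$KEY_NAME" --value "$policy_file"
  rm -f "$policy_file"
  # Read the policy back so the run fails loudly if the update did not stick.
  az keyvault key rotation-policy show --vault-name "$VAULT_NAME" --name "$KEY_NAME" --query lifetimeActions -o table
}

if [ "${1:-}" = "--run" ]; then apply_policy; fi
```

The policy is per key, which is why there is no rotation setting on the vault-creation blade the question above was looking at. Code that uses the key should fetch it without pinning a version (or resolve the latest version on each use), otherwise rotation happens in the vault but the application keeps using the old material.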